Trustico website goes dark after someone drops critical flaw on Twitter

by Dan Goodin, from Ars Technica - All content (#3H3NN)

Image caption: A screenshot demonstrating a critical vulnerability on the Trustico website before it became unavailable. (credit: @Manawyrm)

The website for Trustico went offline on Thursday morning, about 24 hours after it was revealed that the CEO of the UK-based HTTPS certificate reseller emailed 23,000 private keys to a partner.

The website closure came shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers. The vulnerable feature, a tool on trustico.com that let customers confirm certificates were properly installed on their sites, appeared to run as root. By inserting commands into the validation form, attackers could call code of their choice and get it to run on Trustico servers with unfettered "root" privileges, the tweet indicated.
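The flaw described above is a classic command injection: a server-side "is my certificate installed?" check that splices a user-supplied hostname into a shell command line. The following is an added illustration, not code from Trustico or from the article, and it assumes a hypothetical checker that shells out to `openssl s_client`. It shows the unsafe construction next to a hardened version that validates the hostname against a strict grammar and hands the program an argument vector with no shell in between, so metacharacters in the input are never interpreted.

```python
import re
import subprocess

# Strict hostname grammar (RFC 1123 style labels, dot separated, alphabetic TLD).
# Anything outside this set, including spaces, ';', '|', '$' and '`', is rejected
# before it can reach a command line.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: True only for well-formed, lowercase-normalised hostnames."""
    return bool(HOSTNAME_RE.match(host.lower()))


def build_check_command_unsafe(host: str) -> str:
    """The vulnerable pattern: raw form input concatenated into a shell string.

    If this string were passed to a shell (e.g. subprocess.run(..., shell=True)),
    any shell metacharacters in `host` would be interpreted. It is returned here
    as a string only, for inspection, and is never executed by this module.
    """
    return f"openssl s_client -connect {host}:443 -servername {host}"


def build_check_command_safe(host: str) -> list[str]:
    """Hardened form: validate first, then build an argv list.

    Each element is passed to the program as one argument; no shell parses it,
    so there is nothing for injected characters to do even if validation were
    ever bypassed.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["openssl", "s_client", "-connect", f"{host}:443", "-servername", host]


def run_check(host: str, runner=subprocess.run) -> str:
    """Run the hardened check and return the tool's stdout.

    `runner` is injectable so the function can be exercised offline; in
    production it is subprocess.run. shell=False is the default but is spelled
    out to make the intent obvious to reviewers.
    """
    argv = build_check_command_safe(host)
    proc = runner(
        argv,
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
        check=False,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(build_check_command_unsafe("example.com; echo injected"))  # metacharacters pass straight through
    print(build_check_command_safe("example.com"))                   # argv list, no shell
    try:
        build_check_command_safe("example.com; echo injected")
    except ValueError as exc:
        print("rejected:", exc)
```

Input validation and argv-based execution address the injection itself; the second problem the tweet pointed at, the check running as root, is a separate least-privilege failure. A certificate-verification helper only needs outbound network access, so it should run as a dedicated unprivileged user (or in a sandboxed worker), which turns a successful injection from a full server compromise into a contained one.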

"If this is the case it's about as bad as it gets," security researcher Scott Helme told Ars.


Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/